Learning to Tell Security Stories: Better Context For Better Decision Making

Anyone who opens up a newspaper these days understands that information security is getting big press.  Unfortunately, our field often receives press for all the wrong reasons.  Many people harness all this media attention to paint a dark, stormy picture of fear, uncertainty, and doubt (FUD). It’s like hearing the Rolling Stones’ song, Doom and Gloom, playing on a never-ending loop. (BTW, it's a great song). Of course, most reasonable people prefer solutions to fear. How do you get to a state where “Jumpin Jack Flash” is playing on that loop instead?

Why?

I’ll begin by asking a fundamental question that I believe will lead us in the correct direction: Why do so many organizations struggle with detection, analysis, and response?

Let’s begin by understanding why organizations get compromised in the first place. Preparation and prevention are most definitely necessary and can help mitigate a large amount of security risk, but they are not sufficient in and of themselves. A prevention-only approach leaves organizations with an awful lot of risk left unmitigated.

How can organizations round out their risk mitigation picture? This is where detection, analysis, and response come in. Though some are quick to cast aside detection, I know from experience that, when implemented properly, detection can be a great tool to round out an organization’s risk mitigation picture.

But how can organizations address their detection, analysis, and response challenges? If I had to list a few fundamental and foundational areas of focus that get right to the essence of the matter, I would go with these:

  • Raise the signal-to-noise ratio
  • Enrich with additional context
  • Inform decisions

Let’s elaborate.

Become a story teller: Move to a narrative-driven model

Although the first question when investigating an alert ought to be, “What happened?” it is all too often “Where do I go to get the data I need?” To prove my point, when I look at most of the big breaches, disclosed or undisclosed, I see some common themes:

  • Alert fatigue: Organizations are drowning in alerts, false positives, and information but are starved for knowledge.
  • Lack of context: High volume of alerts coupled with difficulty in adding context (via analysis) complicates decision-making. The result is organizations often make poorly informed decisions or miss alerts that get lost in the noise.
  • Poor decision-making: Inability to make informed decisions leads to incorrect decisions and improper response.

So what’s the answer? Security operations and incident response field needs to move to a narrative-driven model. Let’s go back to and elaborate further on my points from earlier:

  • Raise the signal-to-noise ratio: Use a strategic content development process to develop alerting that matches risks, threats, goals, and priorities of concern to the organization. Throw out the default rule set. Don’t alert on things that don’t map to your strategic approach.
  • Enrich with additional context: Alerts are a snapshot and a moment in time. Leverage appropriate network, endpoint, mobile, and intelligence sources to build the narrative around what happened before, during, and after the alert fired.
  • Inform decisions: Present the analyst with a reasonable-length queue of narratives in place of a impossibly-long queue of alerts. Keep calm, proceed through analysis, and make informed decisions about response.

There are no silver bullets in the security realm, but I do think that the move to a narrative-driven model for security operations and incident response is long overdue. The move to a narrative-driven model begins with alert enrichment, which I personally employed with great success during my tenure on the operational side. Alert enrichment provided higher quality information, reduced the time required to reach an educated decision, and increased productivity. Context is king. Who wants to mitigate risk in a vacuum? I certainly don’t.